Using Global Proxy Certificates

Note: This topic applies to the Framlingham Release.

As well as utilizing NTLM authentication to authenticate users, you can use client-side certificates to ensure only approved client devices have access to web filter policies. This provides an additional layer of security.

The same certificate is used by all devices. You must download the client certificate from the Smoothwall licensed for Secure Global Proxy, and install it on the relevant devices.

Note: The home page of the device’s browser must be set to the external IP address of your Smoothwall, and port 62444, to validate the certificate before web traffic is allowed through.

Many client devices and applications, such as devices running iOS, require the device identification certificate to be password-protected. Before downloading the certificate, you must set the password used.

If a password is required, enter it into the Certificate password box.

4. Click Download certificate.

5. Copy this certificate into the relevant devices' internal storage, and import it into the browsers.

Configuring an unsecured (open) proxy is not recommended, as this has security implications. If you configure Secure Global Proxy as an open proxy, connecting clients do not need to present the client-side certificate, although NTLM authentication is still required. Open proxies allow all connection attempts through without authentication, and can potentially be exploited by users, such as spammers.

To remove the need for client-side certificate checking, do the following:

1. Go to Web proxy > Global Proxy > Settings.

2. From the Device identification section, select No identification (Open proxy).

Secure Global Proxy servers which are part of a centrally managed solution should have the Certificate Authority uploaded to them via replication. If this does not happen, you should manually export, then import the Certificate Authority.